Secret Management Configuration
    • 07 Jun 2023


    Configuring the Secret Management

    By default, the secrets-mgmt service is activated as part of the Standalone PAA.

    Sample config.yaml

```yaml
server:
  port: ${APP_PORT:8072}
  bindIp: ${IP_BIND:127.0.0.1}
management:
  port: ${MANAGEMENT_PORT:8077}
log:
  level: "debug"
  format: "json"
  logTo: "rolling"
#  fileName: "logs/secret"
rabbitmq:
  enabled: false
gin:
  mode: ${GIN_MODE:release}  # debug, release

secretStore:
  - id: fileSecret
    type: File
    isDefault: true
    Decoder: Base64
    details:
      path: /app/conf/filename.txt

#secretStore.id - An identifier for the secret store
#secretStore.type - The type of secret store, available types: Vault/Environment/File
#secretStore.isDefault - Indicates whether this is the default secret store. If more than one secret store is defined, the default store is used for operations that do not specify a specific store: true/false
#secretStore.Decoder - The decoder to be used for the secrets stored in this store: "Base64"/"None"
#secretStore.details - Additional details related to the secret store configuration
#secretStore.details.defaultPath - The default path to be used for accessing the secrets in this store if not defined in the scope configuration
#
#Configure a HashiCorp Vault
#The following parameters are required for the configuration of the HashiCorp Vault Secret Store
#
#secretStore.details.skipVerify - Indicates whether to prefix the Secret Store URL with https:// or http:// - true/false
#secretStore.details.url - The URL of the secret store - vault.plainid-vault:8201
#secretStore.details.timeout - The timeout value to be used when connecting to the secret store - 3s
#secretStore.details.enginePath - The HashiCorp Vault engine root folder from which the Secret Management Service accesses the secrets - secret
#secretStore.details.pathPrefix - The prefix added to all paths when accessing the secrets in this store
#
#secretStore.auth - Authentication details for accessing the secret store
#secretStore.auth.method - The authentication method to be used for accessing the secret store. Possible values are "Token" and "Kubernetes"
#
#secretStore.auth.method: Kubernetes
#secretStore.auth.path (vault-kubernetes) - File path of the k8s authorization value
#secretStore.auth.role (vault-kubernetes) - Vault authorization role name - secrets-mgmt
#
#secretStore.auth.method: Token
#secretStore.auth.tokenValue - The token value to be used for authentication when accessing the secret store
#secretStore.auth.tokenFilePath - File path which holds the token
#
#file secret store conf values
#secretStore.details.path - The path of the file which holds the secret
#
#env variable secret store params
#secretStore.details.name - Environment variable name
```

    Optional Settings for the Secret Management Service

    | Section | Parameter | Value | Description |
    |---|---|---|---|
    | server | port | 8072 | The port number that the server will listen on for incoming requests. |
    | server | bindIp | 127.0.0.1 | The IP address that is allowed to make requests to the secret management service. Use 0.0.0.0 to allow connections from every IP address on the local machine. Make sure you allow access only from approved/permitted IP addresses. |
    | management | port | 8077 | The port number that the management service will listen on for incoming requests. |
    | log | level | info | The logging level for the application. |
    | log | format | json | The logging format for the application. |
    | log | logTo | rolling | Available options: rolling - cycle through files, up to 100MB of logs; console - log to stdout. |
    | log | fileName | logs/secret | The logging output destination. |
    | rabbitmq | enabled | false | Indicates whether RabbitMQ integration is enabled or not. |
    | gin | mode | release | The mode that Gin, the HTTP framework, should run in. |

    Configure a Secret Store

    The Secret Store is the source from which the Secret Management Service obtains the relevant secrets (e.g. private keys).
    The Secret Management Service supports the following Secret Store Types:

    • HashiCorp Vault
    • Environment Variables
    • Text File

    General Secret-Store Parameters

```yaml
server:
  port: ${APP_PORT:8072}
  bindIp: ${IP_BIND:127.0.0.1}
management:
  port: ${MANAGEMENT_PORT:8077}
log:
  level: "debug"
  format: "json"
  logTo: "rolling"
  fileName: "logs/secret"
rabbitmq:
  enabled: false
gin:
  mode: ${GIN_MODE:release}  # debug, release
secretStore:
  - id: vault
    type: Vault
    isDefault: true
    Decoder: None # Base64, None
    details:
      defaultPath: vault_
      skipVerify: true
      url: vault
      timeout: 3s
      enginePath: custom
      pathPrefix: prefix
    auth:
      method: Token # Token, Kubernetes
      tokenValue: token
```
    | Section | Parameter | Value | Description |
    |---|---|---|---|
    | secretStore | id | vault | An identifier for the secret store |
    | secretStore | type | Vault | The type of secret store. Available types: Vault, Environment, File |
    | secretStore | isDefault | true | Indicates whether this is the default secret store. If more than one secret store is defined, the default store is used for operations that do not specify a specific store. If more than one secretStore is defined as default, or none of the secret stores is defined as default, then the first secretStore will be used as the default |
    | secretStore | Decoder | none | The decoder to be used for the secrets stored in this store. Possible values are Base64 and None |
    | secretStore | details | | Additional details related to the secret store configuration |
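    The two rules that trip people up in this section are the `${VAR:default}` placeholders in the sample files and the default-store selection (a single `isDefault: true` wins; with none or several, the first store is used). The following Python is an added example, not part of PlainID's documentation or the secrets-mgmt service: it expands the placeholders from an environment mapping, applies the documented default-store rule, and reports unknown store types, unknown decoders and a `bindIp` of 0.0.0.0. The `SAMPLE_CONFIG` dict is constructed to mirror the sample config.yaml as `yaml.safe_load` would return it; the function names are the example's own.

```python
import os
import re

# Matches the ${NAME:default} placeholders used throughout the sample config.yaml.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*):([^}]*)\}")


def expand_placeholders(value, env=None):
    """Replace each ${VAR:default} in a string with env[VAR] if set, else default."""
    if not isinstance(value, str):
        return value
    env = os.environ if env is None else env
    return PLACEHOLDER.sub(lambda m: env.get(m.group(1), m.group(2)), value)


def expand_config(node, env=None):
    """Walk a parsed config tree (dicts/lists) and expand every string leaf."""
    if isinstance(node, dict):
        return {k: expand_config(v, env) for k, v in node.items()}
    if isinstance(node, list):
        return [expand_config(v, env) for v in node]
    return expand_placeholders(node, env)


VALID_TYPES = {"Vault", "Environment", "File"}
VALID_DECODERS = {"Base64", "None"}   # YAML reads the bare word None as the string "None"


def store_decoder(store):
    """The samples spell the key both 'Decoder' and 'decoder'; accept either, default None."""
    return store.get("Decoder", store.get("decoder", "None"))


def select_default_store(stores):
    """Documented rule: one isDefault=true store wins; with none or several, the first store is default."""
    if not stores:
        raise ValueError("secretStore list is empty")
    defaults = [s for s in stores if s.get("isDefault") is True]
    return (defaults[0] if len(defaults) == 1 else stores[0])["id"]


def check_config(cfg):
    """Return a list of findings for the server and secretStore sections (empty list = clean)."""
    findings = []
    if cfg.get("server", {}).get("bindIp") == "0.0.0.0":
        findings.append("server.bindIp is 0.0.0.0: restrict to approved addresses")
    seen = set()
    for s in cfg.get("secretStore", []):
        sid = s.get("id")
        if not sid:
            findings.append("secretStore entry without id")
            continue
        if sid in seen:
            findings.append(f"duplicate secretStore id {sid!r}")
        seen.add(sid)
        if s.get("type") not in VALID_TYPES:
            findings.append(f"{sid}: unknown type {s.get('type')!r}")
        if store_decoder(s) not in VALID_DECODERS:
            findings.append(f"{sid}: unknown decoder {store_decoder(s)!r}")
    return findings


# Constructed sample mirroring the documented config.yaml, as yaml.safe_load would return it.
SAMPLE_CONFIG = {
    "server": {"port": "${APP_PORT:8072}", "bindIp": "${IP_BIND:127.0.0.1}"},
    "management": {"port": "${MANAGEMENT_PORT:8077}"},
    "gin": {"mode": "${GIN_MODE:release}"},
    "secretStore": [
        {"id": "vault", "type": "Vault", "isDefault": True, "Decoder": "None",
         "details": {"url": "vault", "timeout": "3s", "enginePath": "custom"},
         "auth": {"method": "Token", "tokenValue": "token"}},
        {"id": "fileSecret", "type": "File", "isDefault": True, "Decoder": "Base64",
         "details": {"path": "/app/conf/filename.txt"}},
    ],
}

if __name__ == "__main__":
    cfg = expand_config(SAMPLE_CONFIG, {"APP_PORT": "9000"})
    print(cfg["server"])                             # port from env, bindIp from the default
    print(select_default_store(cfg["secretStore"]))  # both stores flagged default -> first one, "vault"
    print(check_config(cfg))                         # []
```

    Run the checks on the expanded tree rather than the raw file, so that a placeholder overridden to 0.0.0.0 through `IP_BIND` is caught the same way as a literal value.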

    Configure a HashiCorp Vault secretStore

    The following parameters are required for the configuration of the HashiCorp Vault Secret Store.

    | Section | Parameter | Value | Description |
    |---|---|---|---|
    | secretStore | details.skipVerify | true | Indicates whether to prefix the Secret Store URL with https:// or http:// |
    | secretStore | details.url | vault.plainid-vault:8201 | The URL of the secret store |
    | secretStore | details.timeout | 3s | The timeout value to be used when connecting to the secret store |
    | secretStore | details.enginePath | secret | The HashiCorp Vault engine root folder from which the Secret Management Service accesses the secrets |
    | secretStore | details.pathPrefix | environments/production | The prefix to be used for all paths when accessing the secrets in this store |
    | secretStore | details.defaultPath | vault_ | The default path to be used for accessing the secrets in this store |
    | secretStore | auth | | Authentication details for accessing the secret store. Add the relevant attributes according to the auth.method (Kubernetes or Token; see the items below) |
    | secretStore | auth.method | Kubernetes | The authentication method to be used for accessing the secret store. Possible values are "Token" and "Kubernetes" |
    | secretStore | auth.path | Kubernetes | File path of the k8s authorization value |
    | secretStore | auth.role | Kubernetes | Vault authorization role name |
    | secretStore | auth.tokenValue | token | The token value to be used for authentication when accessing the secret store |
    | secretStore | auth.tokenFilePath | token | File path which holds the token |

    When configuring the vault information in the Scope (Environment Settings > Scopes > Scope > Details) make sure you do not include the enginePath in the Path to Key parameter.

    Configure an Environment Variable secretStore

    The Secret Management Service can also obtain private keys from environment variables. To configure a Secret Store that reads the private keys from environment variables, use the following configuration:

    | Section | Variable | Default value | Description |
    |---|---|---|---|
    | secretStore | type | Environment | Set the type of the secret store to Environment variables |
    | secretStore | details.name | ENV_VAR_SECRET | The name of the environment variable to obtain the private key from |

    Please note that the table above describes only the fields specific to the environment variable secret store configuration; the additional, general settings are described above.

    ##### Sample configuration

```yaml
server:
  port: ${APP_PORT:8072}
  bindIp: ${IP_BIND:127.0.0.1}
management:
  port: ${MANAGEMENT_PORT:8077}
log:
  level: "debug"
  format: "json"
  logTo: "rolling"
#  fileName: "logs/secret"
rabbitmq:
  enabled: false
gin:
  mode: ${GIN_MODE:release}  # debug, release
secretStore:
  - id: ENV_VAR_SECRET
    type: Environment
    isDefault: true
    decoder: Base64
    details:
      name: ENV_VAR_SECRET
```

    Configure a Text File secretStore

    The Secret Management Service can also obtain private keys from text files. To configure a secretStore that reads the private keys from text files, use the following configuration:

    | Section | Variable | Default value | Description |
    |---|---|---|---|
    | secretStore | type | File | Set the type of the secret store to text file |
    | secretStore | details.path | /app/conf/filename.txt | The full path to the file containing the private key |

    Please note that the table above describes only the fields specific to the text file secret store configuration; the additional, general settings are described above.

    ##### Sample Configuration

```yaml
server:
  port: ${APP_PORT:8072}
  bindIp: ${IP_BIND:127.0.0.1}
management:
  port: ${MANAGEMENT_PORT:8077}
log:
  level: "debug"
  format: "json"
  logTo: "console"
rabbitmq:
  enabled: false
gin:
  mode: ${GIN_MODE:release}  # debug, release

secretStore:
  - id: fileSecret
    type: File
    isDefault: true
    Decoder: Base64
    details:
      path: /app/conf/filename.txt
```
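    The three store types above each need a different set of `details`/`auth` keys, and the File and Environment types additionally pass the raw value through the store's decoder. This Python is an added example, not code from PlainID or the secrets-mgmt service: `validate_store` checks the per-type required keys listed in the tables above (treating "a Token method needs `tokenValue` or `tokenFilePath`" as an assumption the page implies but does not state), and `read_secret` fetches a File or Environment secret and applies the Base64/None decoder. Vault retrieval needs a Vault client and is deliberately left out. The `demo` function builds a constructed Base64-encoded key file and a constructed environment mapping so the whole thing runs offline.

```python
import base64
import os
import tempfile

# Required details keys per store type, as listed in the documentation tables.
REQUIRED_DETAILS = {
    "Vault": ("url", "timeout", "enginePath"),
    "Environment": ("name",),
    "File": ("path",),
}
# Assumption: each Vault auth method needs the keys the page documents for it.
REQUIRED_AUTH = {
    "Kubernetes": ("path", "role"),
    "Token": (),  # tokenValue or tokenFilePath, checked separately below
}


def validate_store(store):
    """Return problems for one secretStore entry; an empty list means it is complete."""
    problems = []
    sid = store.get("id", "<no id>")
    stype = store.get("type")
    details = store.get("details") or {}
    for key in REQUIRED_DETAILS.get(stype, ()):
        if key not in details:
            problems.append(f"{sid}: details.{key} is required for type {stype}")
    if stype == "Vault":
        auth = store.get("auth") or {}
        method = auth.get("method")
        if method not in REQUIRED_AUTH:
            problems.append(f"{sid}: auth.method must be Token or Kubernetes")
        else:
            for key in REQUIRED_AUTH[method]:
                if key not in auth:
                    problems.append(f"{sid}: auth.{key} is required for method {method}")
            if method == "Token" and not (auth.get("tokenValue") or auth.get("tokenFilePath")):
                problems.append(f"{sid}: Token auth needs tokenValue or tokenFilePath")
    return problems


def decode_secret(raw, decoder):
    """Apply the store's Decoder setting (Base64 or None) to the raw stored value."""
    if decoder == "Base64":
        return base64.b64decode(raw.strip()).decode("utf-8")
    if decoder == "None":
        return raw
    raise ValueError(f"unknown decoder {decoder!r}")


def read_secret(store, env=None):
    """Fetch the secret for a File or Environment store and run it through the decoder."""
    env = os.environ if env is None else env
    stype = store["type"]
    details = store["details"]
    if stype == "File":
        with open(details["path"], "r", encoding="utf-8") as fh:
            raw = fh.read()
    elif stype == "Environment":
        raw = env.get(details["name"])
        if raw is None:
            raise KeyError(f"environment variable {details['name']} is not set")
    else:
        raise NotImplementedError("Vault stores require a Vault client (not shown here)")
    decoder = store.get("Decoder", store.get("decoder", "None"))
    return decode_secret(raw, decoder)


def demo():
    """Constructed end-to-end run: a Base64 file store and a plain environment store."""
    secret = "-----BEGIN PRIVATE KEY-----\nconstructed-placeholder\n-----END PRIVATE KEY-----\n"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(base64.b64encode(secret.encode()).decode())
        path = fh.name
    file_store = {"id": "fileSecret", "type": "File", "isDefault": True, "Decoder": "Base64",
                  "details": {"path": path}}
    env_store = {"id": "ENV_VAR_SECRET", "type": "Environment", "decoder": "None",
                 "details": {"name": "ENV_VAR_SECRET"}}
    try:
        from_file = read_secret(file_store)
        from_env = read_secret(env_store, {"ENV_VAR_SECRET": secret})
    finally:
        os.unlink(path)
    return from_file == secret and from_env == secret


if __name__ == "__main__":
    print(validate_store({"id": "v", "type": "Vault", "details": {"url": "vault"},
                          "auth": {"method": "Token"}}))
    print(demo())  # True
```

    Running `validate_store` at startup turns a missing `details.path` or an empty Token auth block into a clear error instead of a failed signing request later on.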

    Scope Level Configuration

    In addition to the configuration of the Secret Management Service and the Secret Store in the Policy Authorization Agent, additional settings can be configured in the PlainID Policy Administration Point (PAP).

    JWT Signing Settings

    [Image: JWT Signing Settings]

    This section includes the relevant configuration attributes for obtaining the private key that will be used to sign the PlainID Policy Decision Point JWT.

    | Attribute | Description | Behavior |
    |---|---|---|
    | Secret Store | Which Secret Store to use. A PAA can use multiple Secret Stores. | If no Secret Store is defined, the Secret Store that is defined as default=true in the PAA will be used. If a value is specified, the specified secret store will be used. |
    | Path to Key | Define the path to the location of the key in the vault. Relevant only for Secret Stores of type vault and not applicable for File or Environment Secret Stores. | If not specified, the details.defaultPath from the secretStore configuration will be used. |
    | Key Name | Define the name of the key in the vault. Relevant only for Secret Stores of type vault and not applicable for File or Environment Secret Stores. | If not defined, the PlainID Scope ClientID will be used as the Key Name. |
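    The Behavior column defines a precedence order between the scope-level settings and the PAA's secretStore configuration. The Python below is an added example, not PlainID code, that applies those rules: explicit Secret Store, else the PAA default; Path to Key, else `details.defaultPath`; Key Name, else the Scope ClientID; Path to Key and Key Name ignored for non-Vault stores; and a warning when the path includes the `enginePath`, as the note above requires. The scope field names `secretStore`, `pathToKey`, `keyName` and `clientId` are assumptions about how the PAP settings are represented, and `PAA_STORES` is a constructed secretStore list.

```python
def resolve_signing_key(scope, stores):
    """Return (store_id, path, key_name, warnings) for the scope's JWT signing key.

    `scope` uses assumed keys for the PAP fields: 'secretStore', 'pathToKey',
    'keyName' and 'clientId'. `stores` is the PAA secretStore list.
    """
    if not stores:
        raise ValueError("the PAA defines no secret store")
    by_id = {s["id"]: s for s in stores}
    warnings = []

    # Secret Store: an explicit value wins; otherwise the store flagged default=true
    # (a single flagged store; with none or several, the first store is used).
    store_id = scope.get("secretStore")
    if store_id:
        if store_id not in by_id:
            raise KeyError(f"scope references unknown secret store {store_id!r}")
    else:
        defaults = [s for s in stores if s.get("isDefault") is True]
        store_id = (defaults[0] if len(defaults) == 1 else stores[0])["id"]
    store = by_id[store_id]

    # Path to Key and Key Name only apply to Vault stores.
    if store.get("type") != "Vault":
        if scope.get("pathToKey") or scope.get("keyName"):
            warnings.append(f"{store_id}: Path to Key / Key Name are ignored for {store.get('type')} stores")
        return store_id, None, None, warnings

    details = store.get("details") or {}
    path = scope.get("pathToKey") or details.get("defaultPath")   # fallback: details.defaultPath
    key_name = scope.get("keyName") or scope["clientId"]           # fallback: Scope ClientID

    # The documentation says the Path to Key must not include the enginePath.
    engine = details.get("enginePath")
    if engine and path and (path == engine or path.startswith(engine.rstrip("/") + "/")):
        warnings.append(f"{store_id}: Path to Key must not include the enginePath {engine!r}")
    return store_id, path, key_name, warnings


# Constructed PAA secretStore list for a dry run.
PAA_STORES = [
    {"id": "vault", "type": "Vault", "isDefault": True,
     "details": {"enginePath": "secret", "pathPrefix": "environments/production",
                 "defaultPath": "vault_"}},
    {"id": "fileSecret", "type": "File", "isDefault": False,
     "details": {"path": "/app/conf/filename.txt"}},
]

if __name__ == "__main__":
    print(resolve_signing_key({"clientId": "scope-a"}, PAA_STORES))
    print(resolve_signing_key({"clientId": "scope-b", "pathToKey": "secret/keys/pdp",
                               "keyName": "pdp-signing"}, PAA_STORES))
    print(resolve_signing_key({"clientId": "scope-c", "secretStore": "fileSecret"}, PAA_STORES))
```

    The first call resolves entirely from defaults; the second shows the enginePath warning; the third shows that File stores ignore the Vault-only attributes.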

    JWT Response Settings

    [Image: JWT Response Settings]

    | Attribute | Description |
    |---|---|
    | Audience | The value to include in the aud claim |
    | X509 Certificate | The public x509 certificate that will be published in the PDP JWKS URL, to allow the consumer of the PDP decisions to validate the PDP signed JWT. The child of the x509 Certificate in the JWKS will be the ClientID of the PlainID Scope. See the sample JWKS URL. |
    | Token Lifetime - EXP (Seconds) | The token lifetime expiration in seconds |
